Photography site 500px resets 14.8 million passwords after data breach

Photography website 500px has become the latest online brand to admit suffering a serious data breach.

In an advisory, the company said it became aware of the breach last week. It estimates that the breach took place around 5 July last year.

This affected the majority of the site’s nearly 15 million users, who should shortly receive an email asking them to change their passwords as soon as possible.

Data stolen included names, usernames, email addresses, birth date (if provided), city, state, country, and gender. Also at risk:

A hash of your password, which was hashed using a one-way cryptographic algorithm.

The company hasn’t said which hashing algorithms were in use beyond mentioning that passwords hashed with the obsolete MD5 function were being reset first.

The fact it was using MD5 at all is not terribly reassuring, for reasons Naked Security has previously discussed at some length: MD5 is fast and, when used without a per-user salt, lets an attacker who holds the hashes test guesses against every account at once, so common passwords fall within minutes of the file leaking.
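To make the difference concrete, here is an added example (not code from the article or from 500px) that cracks a constructed three-user table first stored as unsalted MD5, then as salted PBKDF2-HMAC-SHA256, and counts the hash work each costs the attacker. The usernames, passwords, wordlist and the 20,000-iteration count are all made up for the demonstration; production deployments use a far higher count or a memory-hard scheme such as bcrypt, scrypt or Argon2.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample standing in for a leaked user table; not real 500px data.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "correct horse battery staple 42",  # deliberately not in the wordlist
}

# Toy wordlist. Real cracking lists hold billions of candidates.
WORDLIST: List[str] = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou"]

# Demo-sized iteration count so the example runs in a second or two;
# production deployments use a much higher count.
DEMO_ITERATIONS = 20_000


def md5_store(password: str) -> str:
    """Unsalted MD5, the kind of scheme 500px said some accounts still used."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(hashes: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Crack unsalted hashes with a lookup table.

    One MD5 per candidate word serves every user at once, so the cost is
    len(wordlist) no matter how many users leaked.
    Returns (cracked {user: password}, number of MD5 calls made).
    """
    table = {md5_store(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = DEMO_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, iterations, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def crack_pbkdf2(records: Dict[str, Tuple[bytes, int, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Crack salted PBKDF2 records by brute force.

    The unique salt defeats the shared lookup table, so every (user, word)
    pair costs a full PBKDF2 run of `iterations` HMAC computations.
    Returns (cracked {user: password}, number of PBKDF2 calls made).
    """
    cracked: Dict[str, str] = {}
    calls = 0
    for user, (salt, iterations, digest) in records.items():
        for word in wordlist:
            calls += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, calls


def attacker_hash_work(n_users: int, n_words: int, salted: bool, iterations: int = 1) -> int:
    """Primitive hash invocations needed to try every word against every user."""
    if not salted:
        return n_words  # one lookup table is amortised across all users
    return n_users * n_words * iterations


def demo() -> dict:
    """Run both attacks over the constructed table and report what each found."""
    md5_hashes = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    md5_found, md5_calls = crack_md5(md5_hashes, WORDLIST)

    pbkdf2_records = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_found, pbkdf2_calls = crack_pbkdf2(pbkdf2_records, WORDLIST)

    return {
        "md5_found": md5_found,
        "md5_calls": md5_calls,
        "pbkdf2_found": pbkdf2_found,
        "pbkdf2_calls": pbkdf2_calls,
    }


if __name__ == "__main__":
    result = demo()
    print("unsalted MD5:", result["md5_found"], "with", result["md5_calls"], "MD5 calls")
    print("salted PBKDF2:", result["pbkdf2_found"], "with", result["pbkdf2_calls"],
          "PBKDF2 calls of", DEMO_ITERATIONS, "iterations each")
    # Scale to the article's figures: 14,870,304 users and a million-word list
    print("unsalted work:", attacker_hash_work(14_870_304, 1_000_000, salted=False))
    print("salted work:", attacker_hash_work(14_870_304, 1_000_000, salted=True,
                                             iterations=100_000))
```

Both schemes give up the two dictionary passwords here, which is the point: a slow salted hash buys time, it does not rescue a weak password. What changes is the bill. Against unsalted MD5 the attacker pays one hash per word for the entire 14.8 million-row file; against salted PBKDF2 the cost multiplies by the user count and the iteration count, which is why a forced reset plus a per-user salt is the right response rather than a larger MD5.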

A sliver of good news:

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

Who is affected?

Everyone who had an account with 500px on or before 5 July 2018 may be affected by the breach. Users who joined after that will also have to change their passwords (the reset is triggered automatically the next time they try to log in), although they will be notified later than the bulk of affected account holders.

Anyone who reset their account password after 8am UTC (3am Eastern) on 12 February doesn’t have to reset it a second time.

If the same or a very similar password was used on any other sites, now would be a good time to change those too: a password recovered from one site’s hashes is routinely tried against every other popular service.

Why is 500px telling its users now?

Because earlier this week The Register got wind of a huge database of 617 million user records circulating on the dark web, 14,870,304 of which appeared to be 500px’s.

500px said it learned of the breach on 8 February, which presumably was the day it was told that its data was part of this trove.

Several companies whose data was also part of the cache were already known to have been breached, while some others are new and unreported.

Most of the sites had their user data breached in the last year, which underlines how often and easily cybercriminals are still finding their way past organisations’ defences despite the known risks.

Prevention is better than resets

Our advice is to check the list of sites mentioned in that story and, if you have an account, reset the password without delay.

Next, turn on multi-factor authentication in whatever form it’s offered. For 500px it’s SMS-based or app-based 2FA; prefer the app-based option where you can, since SMS codes can be diverted by SIM-swap attacks, though either is far better than a password alone.